Resource scheduler within a network device

ABSTRACT

A network device is described in which a dedicated resource scheduler monitors memory consumption to provide for improved processing of communication sessions. The scheduler maintains a dependency list of communication sessions, and reserves memory for communication sessions as requests for memory are received. The amount of memory reserved is determined based on the amount of memory currently reserved for the communication sessions in the dependency list. The network device may control ongoing communication sessions by way of window manipulation. Communication sessions are processed in a first mode when available memory has not reached a predetermined amount, while communication sessions are processed in a second mode when available memory reaches a predetermined amount.

This application claims the benefit of U.S. Provisional Application No.60/882,737, filed Dec. 29, 2006, the entire content of which isincorporated herein by reference.

TECHNICAL FIELD

The invention relates to computer networks, and for example, toprocessing data flows in computer networks.

BACKGROUND

A typical computer network, such as an internet protocol (IP)-basednetwork, supports communications between various network devices. Thedevices may, for example, include personal computers, laptops,workstations, personal-digital assistants (PDAs), wireless devices,network-ready appliances, file servers, print servers, routers, or otherdevices. When two devices communicate, the devices establish acommunication session using a communication protocol, such as thetransmission control protocol (TCP). Devices, referred to as routers,forward packets associated with the communication sessions through thephysical network that connects the devices. The flow of packets betweenthe devices for a TCP session is commonly referred to as a TCP flow.

Various kinds of processing of the TCP flow can be done by intermediatedevices placed along the path taken by packets that constitute the TCPflow. Some examples of the kinds of processing currently performed onTCP flows between devices include data compression, encryption anddecryption, TCP acceleration, application-layer acceleration, anti-virusprocessing, and intrusion detection and prevention.

SUMMARY

In general, the invention is directed to techniques for scheduling theprocessing of incoming packets received on communication sessions toregulate memory consumption and avoid dropping the communicationsessions. The technique may be applied by an intermediate device locatedbetween network devices. For example, the techniques may be applied byan anti-virus device that monitors traffic flowing within an enterprisenetwork between an external network and internal computing nodes.

The techniques described herein may be applied in the context of certainapplications, such as anti-virus scanners. These applications oftenrequire that an entire file be accumulated before any of the file isanalyzed and forwarded to the destination server or client (i.e.,“file-based” anti-virus scanning). For network devices that do not havesecondary storage or do not want to use secondary storage forperformance considerations, main random access memory (RAM) can run outquickly, causing service interruptions. For example, a situation mayoccur where multiple files have been partially received, and thepartially received files use up the RAM. As a result, none of the filescan be fully received and processed, and so the sessions time out andare dropped. The techniques described herein may be applied to avoidproblems associated with conventional intermediate devices, such asrandomly dropping ongoing sessions when the main memory is exhausteduntil memory becomes available to handle new incoming packets.

In one example embodiment, the techniques provide a dedicated schedulerthat monitors memory consumption to provide for improved processing ofcommunication sessions such as Transmission Control Protocol (TCP)sessions. The scheduler maintains a dependency list of TCP sessions, andreserves memory for TCP sessions as requests for memory are received.The amount of memory reserved is determined based on the amount ofmemory currently reserved for the communication sessions already in thedependency list. Moreover, in certain example embodiments, thetechniques reserve memory in an attempt to guarantee that at least onesession is always able to complete processing, thus avoiding situationswhere high traffic volumes overload the device.

The techniques may control ongoing TCP sessions by way of TCP windowmanipulation. For example, in the absence of any memory bottleneck, thescheduler operates in a normal mode in which the TCP windows for allongoing sessions remain open. When the scheduler detects a bottleneckcondition, the scheduler begins to operate in a constrained mode, inwhich the TCP windows for all but the first TCP session on thedependency list are gradually closed. The scheduler has previouslyreserved enough memory for the first session in the dependency list tocomplete operation. The scheduler allows the first session to finishbefore reopening the TCP window of the next session on the dependencylist. In this manner, sessions are processed in series in the orderlisted on the dependency list, and at least one session at a time isguaranteed to finish while the scheduler is in the constrained mode.Once the bottleneck condition has subsided, the scheduler initiatesopening of all the TCP windows, and resumes processing the sessions inparallel in accordance with the normal mode.

In one example embodiment, a method comprises maintaining a dependencylist of communication sessions, wherein the dependency list specifies anorder in which to process the communications sessions, and wherein foreach communication session the dependency list specifies an amount ofmemory currently reserved for the communication session. The methodfurther comprises receiving a request to reserve memory for processing anew communication session, and determining whether an amount of memoryrequired to process the new communication session is greater than atotal amount of memory reserved for the communication sessions alreadylisted within the dependency list. The method further comprises when theamount of memory required to process the new communication session isgreater than the total amount of memory reserved for the communicationsessions already listed within the dependency list, reserving memory forthe new communication session in an amount equal to a difference betweenthe amount of memory required to process the new communication sessionand the total amount of memory currently reserved for the communicationsessions already listed to guarantee that processing of the newcommunication session can be completed upon processing the communicationsessions already listed within the dependency list. The method alsoincludes processing the communication sessions with the security devicein accordance with the dependency list.

In another example embodiment, a network security device comprises ascheduler that maintains a dependency list of communication sessions,wherein the dependency list specifies an order in which to process thecommunications sessions, and wherein for each communication session thedependency list specifies an amount of memory currently reserved for thecommunication session. The network security device further includes aproxy module that receives a request to reserve memory for processing anew communication session. The scheduler determines whether an amount ofmemory required to process the new communication session is greater thana total amount of memory reserved for the communication sessions alreadylisted within the dependency list. When the amount of memory required toprocess the new communication session is greater than the total amountof memory reserved for the communication sessions already listed withinthe dependency list, the scheduler reserves memory for the newcommunication session in an amount equal to a difference between theamount of memory required to process the new communication session andthe total amount of memory currently reserved for the communicationsessions already listed to guarantee that processing of the newcommunication session can be completed upon processing the communicationsessions already listed within the dependency list. The network securitydevice further includes an anti-virus engine that processes thecommunication sessions in accordance with the dependency list.

In yet another example embodiment, a computer-readable medium containsinstructions that cause a programmable processor to maintain adependency list of communication sessions, wherein the dependency listspecifies an order in which to process the communications sessions, andwherein for each communication session the dependency list specifies anamount of memory currently reserved for the communication session. Theinstructions further cause the programmable processor to receive arequest to reserve memory for processing a new communication session,and determining whether an amount of memory required to process the newcommunication session is greater than a total amount of memory reservedfor the communication sessions already listed within the dependencylist. The instructions further cause the programmable processor to, whenthe amount of memory required to process the new communication sessionis greater than the total amount of memory reserved for thecommunication sessions already listed within the dependency list,reserve memory for the new communication session in an amount equal to adifference between the amount of memory required to process the newcommunication session and the total amount of memory currently reservedfor the communication sessions already listed to guarantee thatprocessing of the new communication session can be completed uponprocessing the communication sessions already listed within thedependency list. The instructions further cause the programmableprocessor to process the communication sessions with the security devicein accordance with the dependency list.

In a further example embodiment, an anti-virus device for processingcommunication sessions comprises an internal memory, an anti-virusengine that performs file-based anti-virus scanning on network trafficreceived via the communication sessions using the internal memory, and aresource scheduler module that prevents the communication sessions fromtiming out by allocating memory from the internal memory so that atleast one of the communication sessions is guaranteed to be processed tocompletion.

The invention may provide one or more advantages. For example, thetechniques described herein allow multiple sessions to be processed atthe same time. The techniques allow for improved use of main memory anddetection of bottleneck conditions so that such conditions may bemanaged. The details of one or more embodiments of the invention are setforth in the accompanying drawings and the description below. Otherfeatures, objects, and advantages of the invention will be apparent fromthe description and drawings, and from the claims.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram illustrating an exemplary enterprise computernetwork in which an anti-virus device schedules processing of incomingpackets in accordance with the principles of the invention.

FIG. 2 is a block diagram illustrating an exemplary embodiment of theanti-virus device in further detail.

FIG. 3 is a block diagram illustrating an exemplary dependency listmaintained by the anti-virus device.

FIG. 4 is a flowchart illustrating exemplary operation of an anti-virusdevice in accordance with the principles of the invention.

FIG. 5A is a flowchart illustrating exemplary operation of theanti-virus device according to a normal mode.

FIG. 5B is a flowchart illustrating exemplary operation of theanti-virus device according to a constrained mode.

FIG. 6 is a flow diagram illustrating exemplary updates made to adependency list maintained by the anti-virus device.

DETAILED DESCRIPTION

FIG. 1 is a block diagram illustrating an exemplary system 2 in whichenterprise 4 includes a private enterprise computing network 5 that iscoupled to public network 6. Firewall 9 protects enterprise network 5and, in particular, internal computing nodes 8A-8N (nodes 8). Nodes 8represent any private computing device within enterprise network 5,including workstations, file servers, print servers, database servers,printers and other devices. Public network 6 may form part of theInternet.

In the example of FIG. 1, enterprise network 5 includes anti-virus (AV)device 10 that resides between firewall 9 and internal computing nodes 8and monitors traffic flowing between firewall 9 and internal computingnodes 8. In general, anti-virus device 10 is capable of interacting withnodes 8 and network devices 16 to facilitate transmission of datathrough public network 6 and, more specifically, to monitor trafficflowing between firewall 9 and nodes 8.

Anti-virus device 10 may be a network security device that provides avariety of security functions, such as analyzing the network traffic todetect network attacks and scanning the network traffic for viruses. Forexample, anti-virus device 10 may act as a proxy between one of nodes 8and one of external network devices 16A-16N (“external network devices16”) located outside of enterprise 4. In one embodiment, anti-virusdevice 10 may be transparent to nodes 8 and external network devices 16.In another embodiment, anti-virus device 10 may operate as a full proxybetween nodes 8 and external network devices 16 so as to maintainseparate communication sessions with the devices.

Nodes 8 and network devices 16 exchange communications usingcommunication sessions such as Transmission Control Protocol (TCP)sessions, which typically include two streams (or connections) of TCPpackets flowing in opposite directions between the devices. For example,external network device 16A may be a server and node 8A may be a clientdevice that requests a web page from the server via a TCP stream. Asanother example, node 8B may be a server and external network device 16Nmay be a client device that uploads information to the server via adifferent TCP stream.

Anti-virus device 10 may process a plurality of communication sessionsbetween nodes 8 and external network devices 16. The techniques of theinvention may allow anti-virus device 10 to reduce connection droppingeven in resource-congested conditions. In one example, anti-virus device10 includes an anti-virus (AV) engine that scans application-layercommunications such as files or web pages sent via the communicationsessions. In accordance with the principles of the invention, anti-virusdevice 10 includes a resource scheduler to manage usage of internalmemory resources as the AV engine processes the plurality of TCPsessions. For example, each time a new session is established, thescheduler receives a request for memory to process the new session, andadds an entry to a dependency list. Entries are generally added to thedependency list in the order the sessions are added. Each entry may, forexample, specify a maximum amount of memory needed to process thesession and an amount of memory reserved by the scheduler for thesession.

The scheduler determines an amount of memory to reserve for processingthe session by comparing the amount required by the newly requestedsession to an amount currently reserved for sessions represented by thedependency list. If the amount currently reserved by the dependency listis less than the amount required by the new session, the schedulerreserves (assigns) an amount of memory equal to the difference betweenthe amount required and the amount currently reserved. In this manner,once the sessions for the previous entries have been processed, enoughreserved memory will be available for processing the new session. If theamount currently reserved is greater than or equal to the amountrequired by the new session, the scheduler need not reserve anyadditional memory, since sufficient memory for the new session isguaranteed to be released once the sessions associated with the previousentries have finished processing.

In some example embodiments, anti-virus device 10 provides control ofongoing TCP sessions by way of TCP window manipulation. For example, inthe absence of any memory bottleneck, the scheduler operates in a normalmode in which the TCP windows for all ongoing sessions remain open. Whenthe scheduler detects a bottleneck condition, the scheduler begins tooperate in a constrained mode, in which the TCP windows for all but asubset of sessions (e.g., the first TCP session) on the dependency listare gradually closed. The scheduler has previously reserved enoughmemory for the first session to complete operation. The scheduler allowsthe first session to finish before reopening the TCP window of the nextsession on the dependency list. The next session on the dependency listinherits the amount of memory that was reserved for the session ahead ofit on the dependency list. As sessions are sequentially processed, thenext session to be processed will inherit the total amount of memoryreserved for all of the sessions ahead of it on the dependency list. Inthis manner, the scheduler is guaranteed to finish each of the sessionson the dependency list in sequence when in the constrained mode. Oncethe bottleneck condition has subsided, the scheduler initiates openingof all of the TCP windows, and resumes processing the sessions inparallel in accordance with the normal mode.

After anti-virus device 10 has completed operation on a session, such ascompleted scanning a file for a virus, anti-virus device 10 may take oneor more programmed actions, such as automatically dropping packet flowsassociated with the application-layer communications within which thevirus was detected. In some embodiments, enterprise network 5 mayinclude multiple anti-virus devices 10 located within different regions(e.g., sub-networks) of enterprise network 5. A security managementdevice (not shown) may operate as a central device for managing theanti-virus devices 10.

Although the example illustrated in FIG. 1 is described in terms of adedicated anti-virus device 10, the techniques may be applied to anyintermediate device that performs operations on communications sessions,such as data compression, encryption and decryption, TCP acceleration,application-layer acceleration, and intrusion detection and prevention.The techniques may also be applied to a firewall that performsanti-virus operations.

Moreover, the functionality described herein may be incorporated withinother devices, such as firewall 9 or switch 15, or within a proxyserver, load balancer, router, gateway, intelligent switch, intelligenthub, or other type of intermediate network device. The techniques aredescribed herein in reference to TCP communications for exemplarypurposes, and may readily be applied to other network communicationprotocols.

FIG. 2 is a block diagram illustrating the exemplary anti-virus device10, described above with respect to FIG. 1, in further detail.Anti-virus device 10 monitors inbound network traffic 24 and forwardsthe network traffic as outbound network traffic 26. In the exampleillustrated by FIG. 2, anti-virus device 10 includes TCP proxy 28,connection management module 30, scheduler 32, and anti-virus (AV)engine 34. Anti-virus device 10 also includes dependency list 36,session list 38, public buffer pool 40, reserved buffer pool 41, andheap 42.

In one example embodiment, anti-virus device 10 may use TCP proxy 28 tointercept and/or establish TCP sessions with nodes 8 and network devices16. In this example, anti-virus device 10 sends and receives packetflows using TCP protocol 28. TCP proxy 28 may participate in a three-wayTCP handshake that initiates a new TCP session. When a new TCP sessionhas been initiated, TCP proxy 28 notifies AV engine 34 of the newsession, and stores information about the new session, such as thesource and destination addresses, memory requirements, and type of databeing transferred, in session list 38. Although described as beingperformed by TCP proxy 28, one or more of these functions may beperformed by an application proxy or other module. When AV engine 34needs to process a file received via the session, AV engine 34 sends arequest to scheduler 32 to reserve memory from reserved pool 41 forprocessing the file. The request specifies an amount of memory requiredto process the session. Scheduler 32 determines an amount of memory toreserve for the session, and adds an entry to dependency list 36.Scheduler 32 may be a dedicated scheduler that is part of an embeddedsystem within anti-virus device 10. Anti-virus device 10 may executeother network communication protocols (not shown). Anti-virus device 10may also present a user interface (not shown) by which an administratormay configure anti-virus device 10. For example, the administrator mayconfigure anti-virus device 10 to monitor particular subnets of theenterprise network.

Heap 42 is a pool of available memory, such as random access memory(RAM). As an example, in an embedded environment of an intermediatenetwork appliance, heap 42 may include 128 megabytes to one gigabyte ofmemory. Public buffer pool 40 and reserved buffer pool 41 representlogical data structures maintained on top of heap 42 that are used forallocating packet buffers to temporarily store incoming TCP packetsusing memory from heap 42. Scheduler 32 reserves an amount of memoryfrom reserved buffer pool 41 sufficient to process at least one sessionto completion at a time. In the absence of excess congestion, scheduler32 allocates packet buffers for all sessions from public buffer pool 40.If congestion occurs, scheduler 32 does not allocate from public bufferpool 40; instead, scheduler 32 allocates packet buffers from reservedbuffer pool 41 based on a maximum amount currently reserved in reservedbuffer pool 41. This is described in further detail below. Anti-virusdevice 10 establishes reserved buffer pool 41 during a system boot topre-reserve memory for processing at least one session. The size ofreserved buffer pool 41 is determined according to customerspecifications. In particular, the size of reserved buffer pool 41 isselected to be as large as the largest potential amount of memory that areceived file is likely to need to process the file. In one embodiment,reserved buffer pool 41 comprises ten megabytes of memory that ispre-reserved for processing at least one session.

As sessions are established, AV engine 34 makes requests to reservememory from reserved buffer pool 41 for processing the sessions.Scheduler 32 calculates an amount of memory to be reserved such that atleast the first session in dependency list 36 can be processed. AVengine 34 may also request memory directly from heap 42. Each of publicbuffer pool 40 and heap 42 have two associated memory usage“watermarks,” i.e., first and second respective predetermined amounts ofmemory remaining, that trigger certain actions by AV device 10 whenreached. In particular, each of public buffer pool 40 and heap 42 has a“low” watermark and a “too low” watermark. When the memory usage has notyet reached either of the “low” watermarks, scheduler 32 operates in afirst mode (referred to as a “normal mode”) by continuing to process allof the pending sessions, as described in further detail with respect toFIG. 5A. When the memory usage has reached one or both of the “low”watermarks, scheduler 32 operates in a second mode (referred to as a“constrained mode”) by causing connection management module 30 to closethe TCP windows for every session other than the first entry independency list 36, as described in further detail with respect to FIG.5B. The watermark values may be hard-coded or programmably configured.Example “too low” watermark values are six megabytes remaining for heap42 and eight megabytes remaining for public buffer pool 40. Example“low” watermark values are twelve megabytes remaining for heap 42 andsixteen megabytes remaining for public buffer pool 40 (i.e., an amountdouble the “two low” watermark values).

Scheduler 32 monitors the use of public buffer pool 40 and heap 42 as AVengine 34 processes files associated with a plurality of sessions. Inparticular, when one or both of pools 40, 42 reaches a memory usagewatermark, scheduler 32 switches from operating in a normal mode tooperating a constrained mode. In the normal mode, connection managementmodule 30 keeps the TCP windows for all ongoing sessions open. Scheduler32 maintains dependency list 36 as a subset of session list 38, and usesdependency list 36 when operating in the constrained mode to control theflow of incoming packets.

Scheduler 32 may add sessions to dependency list 36 in the order thatscheduler 32 receives requests to reserve memory for the sessions. Inthe constrained mode, scheduler 32 sets flags that causes connectionmanagement module 30 to close the TCP windows for a subset of thesessions (e.g., all but the first session) on the dependency list 36. Asa result, for each closed TCP window, the TCP session peer will stopsending traffic on the TCP session. When adding sessions to dependencylist 36, scheduler 32 reserves enough memory in reserved buffer pool 41for at least the first session to be processed. By reserving memory forsessions within the dependency list and forcing AV engine 34 to processonly one session at a time when in the constrained mode, scheduler 32guarantees that at least one session will be finished when operating inthe constrained mode. Moreover, scheduler 32 guarantees that each of thesessions in the dependency list can sequentially be processed.

When the session is completed, scheduler 32 checks public buffer pool 40and heap 42 to determine whether either of the watermarks is stillexceeded. If so, scheduler 32 continues in the constrained mode, andprocesses the next session on the dependency list by opening thatsession's TCP window. If neither of the watermarks are exceeded,scheduler 32 switches back to the normal mode and connection managementmodule 30 opens all of the TCP windows. AV engine 32 resumes processingthe plurality of sessions in parallel.

In one example embodiment, anti-virus device 10 identifies packet flowsin the monitored traffic, and transparently reassemblesapplication-layer communications from the packet flows. An HTTP decoderidentifies each request/response within the TCP connection as adifferent transaction. Scheduler 32 allocates a packet buffer frompublic buffer pool 40. TCP proxy 28 copies incoming packets associatedwith a TCP session to the packet buffer allocated from public bufferpool 40. Anti-virus device 10 may then put the packet buffer into a linklist. AV engine 34 reassembles an application-layer communication fromthe data in the packet buffer, and scans the entire application-layercommunication (e.g., a file or web page) for viruses. In the event noviruses are found, AV engine 34 breaks the application-layercommunication back into pieces, which TCP proxy 28 then sends out to thedestination of the communication in the form of packets. TCP proxy 28informs scheduler 32 that processing associated with the session isfinished, and scheduler 32 removes the completed session from dependencylist 36 and makes the reserved memory available. A session may be addedto the dependency list each time processing is to be performed for thesession, i.e., when new work is detected for a session, such that asubsequent download may be detected as a new “session” as the term isused herein.

Example application programming interface (API) commands used byanti-virus device 10 are set forth below in Table 1.

TABLE 1 API Function void This function is used by AV engine 34 tonotify scheduler 32 apppry_sched_add_obj that a new session is created.(av_ctx_t *av_ctx, size_t The content_sz is the total memory resourcerequired by the content_sz) new session. If content_sz is 0, thenscheduler 32 uses the max content size supported by the current system.The av_ctx is used by scheduler 32 to identify an AV connection(request). void This function is used by AV engine 34 to notifyscheduler 32 apppry_schduler_com- that a session is to be removed. pleteobj(av_ctx_t *av_ctx) int This function is called by TCP Proxy 28 toallocate a new apppry_sched_get_net_pak portion of public buffer pool 40or reserved buffer pool 41. ( void *tcb, void The void *tcb is a TCPproxy session descriptor. *flow_id, size_t sz, uint The flow_id is usedby scheduler 32 to map a tcb to av_ctx. app_id, net_pak_t **pak) The szis for buffer size. The app_id is used to identify the user of theportion of the buffer pool. The pak is an output pointer that points tothe newly allocated portion of the buffer pool. void This function iscalled by Scheduler 32 to open the TCP apppry_sched_update_win windowfor a session: (asp_tcb_t *tcb) The tcb is used to identify a TCP Proxysession. This function will trigger TCP Proxy to reopen all un-openedwindows on a session.

FIG. 3 is a block diagram illustrating an exemplary dependency list 36maintained by scheduler 32 of FIG. 2. In the example embodiment of FIG.2, dependency list 36 includes a plurality of session entries 43. Asdescribed in further detail below with respect to FIG. 6, scheduler 32adds a session entry to dependency list 36 when AV engine 34 detectsthat a new session has been established by TCP proxy 28 and requestsmemory to be reserved for the new session. Dependency list 36 includesan entry identifier column 44. An entry identifier 44 is used to labeleach of the session entries 43, and may indicate the order in which thesessions were added to dependency list 36.

In this example, dependency list 36 also includes a “memory required”column 46, which indicates the amount of memory (e.g., in bytes) that isrequired to process an object (e.g., a file) associated with thesession. For example, when scheduler 32 receives notification from AVengine 34 that TCP proxy 28 has detected a new session or new work to beperformed for an existing session, scheduler 32 also receives a requestfrom AV engine 34 to reserve memory in reserved buffer pool 41. Therequest indicates the amount of memory that will be required to processthe session. As one example, AV engine 34 may predict the amount ofmemory that a session will require based on the protocol associated withrequest for the session. As another example, if AV engine 34 is unableto determine an amount of memory required for the session, AV engine 34may indicate this by specifying that the session requires zero memory.In response, scheduler 32 may assume the session will take the maximumamount the system can provide. This amount may be configured as apre-defined amount, such as ten megabytes. If a received file requiresmore than the maximum amount, in some embodiments anti-virus device 10will drop the file, while in other embodiments anti-virus device 10 willforward the file without scanning by AV engine 34.

Dependency list 36 also includes a memory reserved column 48, whichshows an amount of memory (e.g., in bytes) that scheduler 32 hasreserved for the session entry. Scheduler 32 determines an amount ofmemory in buffer pool 40 to reserve for processing the session bycomparing the amount required to an amount currently reserved inreserved buffer pool 41 for sessions already stored within dependencylist 36. If the amount currently reserved is less than the amountrequired by the new session, scheduler 32 reserves memory in reservedbuffer pool 41 equal to the difference between the amount required andthe amount currently reserved. Thus, once the sessions for the previousentries have been processed (i.e., the work for those sessions have beenprocessed), enough reserved memory will be free for processing the newsession. In other words, the new session inherits the total amount ofreserved memory assigned to the sessions ahead of it in the dependencylist. If the amount currently reserved is greater than or equal to theamount required by the new session, scheduler 32 does not reserve anyadditional memory, since sufficient memory for the new session will bereleased once the previous entries have finished processing. In someembodiments, dependency list 36 may contain additional information thanis illustrated in the example of FIG. 3. As another example, dependencylist 36 may factor in the priority levels of different sessions, insteadof being organized solely on a first-come, first-served basis.

Dependency list 36 may be composed of a subset of the entries of sessionlist 38. Anti-virus device 10 may maintain session list 38 anddependency list 36 in the form of one or more tables, databases, linklists, radix trees, databases, flat files, or any other data structures.In another embodiment, scheduler 32 may maintain multiple dependencylists to increase system performance. Using more than one dependencylist may result in higher throughput when operating in the constrainedmode, since multiple “first” session entries will be processed at onetime (i.e., the first session on each dependency list).

FIG. 4 is a flowchart illustrating exemplary operation of anti-virusdevice 10 in accordance with the principles of the invention. TCP proxy28 participates in creation of a new session between one of nodes 8 andanother network device, such as external network device 16A. TCP proxy28 notifies AV engine 34 of the new session (50). Scheduler 32 receivesa request from AV engine 34 to reserve memory resources from reservedbuffer pool 41 for the new session (51). Scheduler 32 compares theresource requirement of the new session to an amount currently reservedin reserved buffer pool 41 for all sessions already in dependency list36 (52). Scheduler 32 may maintain the “currently reserved” amount aspart of dependency list 36, or in a separate data structure. When therequirement of the new session is less than or equal to the currentlyreserved amount (NO branch of 54), scheduler 32 simply adds a new entryto dependency list 36, and does not reserve any additional memory ofreserved buffer pool 41 (55). This is because once AV engine 34 finishesprocessing the sessions ahead of the session being added to dependencylist 36, then sufficient memory resources will be available forprocessing the new session.

When the requirement of the new session is greater than the currentlyreserved amount (YES branch of 54), scheduler 32 reserves additionalmemory from reserved buffer pool 41 to the new session to cover thedifference (56), so that when AV engine 34 finishes processing thesessions ahead of the new session on dependency list 36, sufficientmemory resources will be available for processing the new session. Inparticular, scheduler 32 reserves an amount of memory equal to thedifference between the memory required by the new session and the amountcurrently reserved for existing sessions. Scheduler 32 adds a new entryto dependency list 36 for the new session (58), and updates the stored“currently reserved” amount (59).

FIG. 5A is a flowchart illustrating exemplary operation of anti-virusdevice 10 according to the normal mode. When TCP proxy 28 receives dataover the session (60), TCP proxy 28 asks scheduler 32 to allocate a newpacket buffer for the received data (62). At this time scheduler 32checks the “low” watermarks for public buffer pool 40 and heap 42. Ifone or both of the watermarks have been reached (YES branch of 63),connection management module 30 initiates closing of the TCP windows forall sessions except the first session on dependency list 36 in responseto a flag set by scheduler 32 (64), and begins operating in theconstrained mode (“B” of FIG. 5B). If neither of the watermarks isreached, scheduler 32 continues in the normal mode (NO branch of 64).Scheduler 32 allocates a packet buffer from public buffer pool 40 (65).TCP proxy 28 copies the received data to the allocated packet buffer(66). AV engine 34 assembles the file from buffer pool 40 once TCP proxy28 has copied data corresponding to the entire file to buffer pool 40(68).

AV engine 28 then scans the file for any viruses (70). In the event AVengine 28 detects a virus (YES branch of 72), anti-virus device 10 maytake one or more programmed actions, such as automatically droppingpacket flows associated with the application-layer communications withinwhich the virus was detected (74). If AV engine 28 does not detect anyviruses (NO branch of 104), TCP proxy 28 sends the file out to itsdestination (76). AV engine 28 notifies scheduler 32 the session isfinished, and that the memory from this session is now available (78).Scheduler updates the dependency list by removing the entry associatedwith the session that has been completed, and recalculating thedependency list in view of the memory that has been made available (80).

FIG. 5B is a flowchart illustrating exemplary operation of anti-virusdevice 10 according to the constrained mode. When operating in theconstrained mode, TCP proxy 28 may receive data over the first session(90). TCP proxy 28 asks scheduler 32 to allocate a new packet buffer forthe received data (92). At this time scheduler 32 checks the “low”watermarks for public buffer pool 40 and heap 42 to see if they arestill reached. If neither of the watermarks is reached, connectionmanagement module 30 initiates opening of the TCP windows for othersessions on the dependency list in response to a flag set by scheduler32 (93) and scheduler 32 returns to operating in the normal mode (NObranch of 94) (“A” of FIG. 5A). If one or both of the watermarks isstill reached (YES branch of 94), scheduler 32 checks the “too low”watermarks for public buffer pool 40 and heap 42. If neither of the “toolow” watermarks has been reached (NO branch of 96), scheduler 32allocates a packet buffer from public buffer pool 40 (97). If either ofthe “too low” watermarks has been reached (YES branch of 96), or if theallocation from the public buffer pool 40 fails (YES branch of 95),scheduler 32 allocates a packet buffer from reserved buffer pool (98).As mentioned, in some cases scheduler 32 will not be able to allocate apacket buffer from public buffer pool 40 even where the “too low”watermark has not yet been reached for public buffer pool 40. Forexample, this may result from fragmentation.

TCP proxy copies the received data to the allocated packet buffer (99).AV engine 34 assembles the file from buffer pool 40 once TCP proxy 28has copied data corresponding to the entire file to the allocated packetbuffer (100). AV engine 28 then scans the file for any viruses (102). Inthe event AV engine 28 detects a virus (YES branch of 104), anti-virusdevice 10 may take one or more programmed actions, such as automaticallydropping packet flows associated with the application-layercommunications within which the virus was detected (106). If AV engine28 does not detect any viruses (NO branch of 104), TCP proxy 28 sendsthe file out to its destination (108). AV engine 28 notifies scheduler32 the session is finished, and that the memory from this session is nowavailable (110). Scheduler updates the dependency list by removing theentry associated with the session that has been completed, andrecalculating the dependency list in view of the memory that has beenmade available (112). Scheduler 32 may again check again to see whetherany of the memory usage watermarks have been reached by the system, andreturn to operating in the normal mode of FIG. 5A. (114). If any of thewatermarks is still reached, scheduler 32 continues operating in theconstrained mode, and opens the TCP window for the next session ondependency list 36 (114).

FIG. 6 is a flow diagram illustrating exemplary updates made to adependency list 36 maintained by anti-virus device 10. That is, FIG. 7is an example that illustrates how dependency list 36 changes over timeas new sessions are added and existing sessions are completed andremoved. As shown in dependency list 36A, a first session entry is addedthat requires three megabytes of memory, and scheduler 32 has reservedthree megabytes of buffer pool 40 for this session. The amount of memorycurrently reserved is three megabytes. Some time later, a second sessionentry is added, as shown in 36B. The second session requires twomegabytes of memory. Scheduler 32 compares the required memory to theamount of memory currently reserved. Since the required memory of thenew session is less than the amount of memory currently reserved,scheduler 32 reserves zero additional megabytes of memory for the secondentry, since the first session will free up sufficient memory (threemegabytes) upon completion to cover the needs of the second session. Theamount of memory currently reserved is still three megabytes.

Some time later, a third session entry is added, as shown in 36C. Thethird session requires five megabytes of memory. Scheduler 32 comparesthe required memory to the amount of memory currently reserved. Sincethe required memory of the new session is greater than the amount ofmemory currently reserved, scheduler 32 reserves two additionalmegabytes of memory for the third entry. As a result, once the first andsecond sessions have completed, three megabytes will become available.With the addition of the two megabytes reserved for the third session,five megabytes will be available for processing the third session. Theamount of memory currently reserved is five megabytes.

Some time later, a fourth session entry is added, as shown in 36D. Thefourth session requires ten megabytes of memory. Scheduler 32 reservesfive additional megabytes of memory for the third entry, which is equalto the difference between the memory required and the currently reservedfive megabytes. The amount of memory currently reserved is now tenmegabytes.

Some time later, a fifth session entry is added, as shown in 36E. Thefifth session requires eight megabytes of memory. Scheduler 32 comparesthe required memory to the amount of memory currently reserved. Sincethe required memory of the new session is less than the amount of memorycurrently reserved, scheduler 32 reserves zero additional megabytes ofmemory for the fifth entry, since the preceding sessions will free upsufficient memory upon completion to cover the needs of the fifthsession. The amount of memory currently reserved is still ten megabytes.

Some time later, the fourth entry of dependency list 36E has completedand is removed from the dependency list, as shown in dependency list36F. The fifth session moves up to become the fourth session andscheduler 32 recalculates the dependency list. Entries one through threeremain the same. Scheduler reserves three megabytes of memory frombuffer pool 40 to cover the difference between the amount that willbecome available after the previous sessions are completed, and theamount required by the fourth entry. The amount of memory currentlyreserved is now eight megabytes. As this example illustrates, sessionsare not necessarily completed in the order they were added to dependencylist 36, particularly when scheduler 32 is operating in normal mode.

Some time later, the first entry of dependency list 36F has completedand is removed from the dependency list, as shown in dependency list36G. Scheduler 32 moves each of the remaining sessions up in thedependency list, and recalculates the dependency list. The session ofthe first entry of dependency list 36G requires two megabytes of memory,so scheduler 32 reserves two megabytes of memory to the first session.The second session on dependency list 36G requires five megabytes ofmemory, which is three megabytes more than is reserved for previoussessions, so scheduler 32 reserves three megabytes of memory to thesecond session. The third session on dependency list 36G requires eightmegabytes of memory, which is three megabytes more than is reserved forprevious sessions, so scheduler 32 reserves three megabytes of memory tothe third session. The amount of memory currently reserved is eightmegabytes.

Various embodiments of the invention have been described. These andother embodiments are within the scope of the following claims.

1. A method for processing communication sessions within a securitydevice, the method comprising: maintaining a dependency list ofcommunication sessions, wherein the dependency list specifies an orderin which to process the communications sessions, and wherein for eachcommunication session the dependency list specifies an amount of memorycurrently reserved for the communication session; receiving a request toreserve memory for processing a new communication session; determiningwhether an amount of memory required to process the new communicationsession is greater than a total amount of memory reserved for thecommunication sessions already listed within the dependency list; whenthe amount of memory required to process the new communication sessionis greater than the total amount of memory reserved for thecommunication sessions already listed within the dependency list,reserving memory for the new communication session in an amount equal toa difference between the amount of memory required to process the newcommunication session and the total amount of memory currently reservedfor the communication sessions already listed to guarantee thatprocessing of the new communication session can be completed uponprocessing the communication sessions already listed within thedependency list; and processing the communication sessions with thesecurity device in accordance with the dependency list.
 2. The method ofclaim 1, wherein processing the communication sessions comprisesscanning files received via the communication sessions to detectviruses.
 3. The method of claim 1, further comprising: when availablememory has not reached a predetermined amount remaining, processing thecommunication sessions in a first mode comprising processing thecommunication sessions in parallel; and when available memory reaches apredetermined amount remaining, processing the communication sessions ina second mode comprising processing the communication sessionssequentially in accordance with the dependency list.
 4. The method ofclaim 3, wherein processing the communication sessions in the secondmode comprises dynamically initiating closing of communication windowsfor the communication sessions other than the first communicationsession on the dependency list.
 5. The method of claim 1, furthercomprising: when the amount of memory required to process the newcommunication session is less than or equal to the total amount ofmemory reserved for the communication sessions already listed within thedependency list, reserving no additional memory for the newcommunication session.
 6. The method of claim 1, wherein the amount ofmemory required to process the new communication session is determinedbased on protocol information associated with the new communicationsession.
 7. The method of claim 1, wherein when the request indicatesthat no memory is required to process the new communication session,reserving memory for the new communication session comprises reserving apredetermined maximum amount of memory for the new communicationsession.
 8. The method of claim 1, further comprising: maintaining aheap of available memory; and maintaining a public buffer pool and areserved buffer pool as logical data structures on top of the heap thatare used for allocating packet buffers to store packets received via thecommunication sessions; processing the communication sessions in a firstmode when neither the available memory within the heap nor availablememory within the public buffer pool has reached a respectivepredetermined amount; and processing the communication sessions in asecond mode when either the available memory within the heap or theavailable memory within the public buffer pool has reached a respectivepredetermined amount.
 9. The method of claim 8, wherein processing thecommunication sessions in the first mode comprises: allocating a packetbuffer from the public buffer pool to store the received packets, andwherein processing the communication sessions in the second modecomprises: allocating a packet buffer from the public buffer pool tostore received packets when neither the available memory within the heapnor the available memory within the public buffer pool has reached asecond respective predetermined amount, and allocating a packet bufferfrom the reserved buffer pool to store received packets when either theavailable memory within the heap or the available memory within thepublic buffer pool has reached the second respective predeterminedamount.
 10. The method of claim 1, further comprising adding the newcommunication session to the dependency list.
 11. The method of claim 1,wherein the communication sessions are Transmission Control Protocol(TCP) sessions.
 12. A network security device comprising: a schedulerthat maintains a dependency list of communication sessions, wherein thedependency list specifies an order in which to process thecommunications sessions, and wherein for each communication session thedependency list specifies an amount of memory currently reserved for thecommunication session; a proxy module that receives a request to reservememory for processing a new communication session; wherein the schedulerdetermines whether an amount of memory required to process the newcommunication session is greater than a total amount of memory reservedfor the communication sessions already listed within the dependencylist; wherein when the amount of memory required to process the newcommunication session is greater than the total amount of memoryreserved for the communication sessions already listed within thedependency list, the scheduler reserves memory for the new communicationsession in an amount equal to a difference between the amount of memoryrequired to process the new communication session and the total amountof memory currently reserved for the communication sessions alreadylisted to guarantee that processing of the new communication session canbe completed upon processing the communication sessions already listedwithin the dependency list; and an anti-virus engine that processes thecommunication sessions in accordance with the dependency list.
 13. Thenetwork security device of claim 12, wherein the anti-virus engine scansfiles received via the communication sessions to detect viruses.
 14. Thenetwork security device of claim 12, wherein when available memory hasnot reached a predetermined amount remaining, the scheduler operates ina first mode to cause the anti-virus engine to process the communicationsessions in parallel; and wherein when available memory reaches apredetermined amount remaining, the scheduler operates in a second modeto cause the anti-virus engine to process the communication sessionssequentially in accordance with the dependency list.
 15. The networksecurity device of claim 14, further comprising a connection managementmodule that dynamically initiates closing of communication windows forthe communication sessions other than the first communication session onthe dependency list when the scheduler operates in the second mode. 16.The network security device of claim 12, wherein the scheduler reservesno additional memory for the new communication session when the amountof memory required to process the new communication session is less thanor equal to the total amount of memory reserved for the communicationsessions already listed within the dependency list.
 17. The networksecurity device of claim 12, further comprising: a heap of availablememory; and a public buffer pool and a reserved buffer pool maintainedas logical data structures on top of the heap and used for allocatingpacket buffers to store packets received via the communication sessions,wherein the scheduler operates in a first mode when neither theavailable memory within the heap nor available memory within the publicbuffer pool has reached a respective predetermined amount, and whereinthe scheduler operates in a second mode when either the available memorywithin the heap or the available memory within the public buffer poolhas reached a respective predetermined amount.
 18. The network securitydevice of claim 12, wherein the proxy module is a Transmission ControlProtocol (TCP) proxy module, and wherein the communication sessions areTCP sessions.
 19. The network security device of claim 12, wherein thenetwork security device comprises an anti-virus device that resideswithin an enterprise network between a firewall and a plurality ofinternal computing nodes.
 20. A computer-readable storage mediumcomprising instructions for causing a programmable processor to:maintain a dependency list of communication sessions, wherein thedependency list specifies an order in which to process thecommunications sessions, and wherein for each communication session thedependency list specifies an amount of memory currently reserved for thecommunication session; receive a request to reserve memory forprocessing a new communication session; determine whether an amount ofmemory required to process the new communication session is greater thana total amount of memory reserved for the communication sessions alreadylisted within the dependency list; when the amount of memory required toprocess the new communication session is greater than the total amountof memory reserved for the communication sessions already listed withinthe dependency list, reserve memory for the new communication session inan amount equal to a difference between the amount of memory required toprocess the new communication session and the total amount of memorycurrently reserved for the communication sessions already listed; andprocess the communication sessions with the security device inaccordance with the dependency list.